| Título | matthewdeaves Willow CMS v1.4.0 Remote Code Execution |
|---|
| Descripción | The "Add Image" function suffers from an Insecure File Upload vulnerability, allowing an authenticated attacker to upload arbitrary executable files, leading to Remote Code Execution (RCE). The system's file type verification mechanism is insufficient and can be bypassed by manipulating the file's header.
Proof of Concept (PoC)
1 - The attacker requires Administrative Privileges to access the vulnerable endpoint: http://target.com/admin/images/add.
2 - A malicious PHP webshell payload is created.
3 - To evade the file type check, the attacker "crafts" the PHP file by prepending the JPEG Magic Numbers (FF D8 FF E0 or similar, such as FF D8 FF EE) to the start of the PHP code. This simulates a valid JPEG file header.
4 - The disguised payload is uploaded via the "Add Image" function.
5 - The server accepts the file as a seemingly valid image and stores it on the host.
6- By accessing the direct URL of the uploaded file, the PHP script is executed by the web server, granting the attacker a webshell and Direct RCE on the host.
Video: https://www.youtube.com/watch?v=zacD0QLUYs8 |
|---|
| Fuente | ⚠️ https://github.com/matthewdeaves/willow/issues/132 |
|---|
| Usuario | RiccK (UID 91602) |
|---|
| Sumisión | 2025-10-14 02:07 (hace 8 meses) |
|---|
| Moderación | 2025-10-27 13:13 (14 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 330116 [Willow CMS hasta 1.4.0 /admin/images/add escalada de privilegios] |
|---|
| Puntos | 20 |
|---|